08-13-2013 09:14 PM - edited 03-11-2019 07:25 PM
I was using an old Pix 501, and am having trouble getting the ASA 5505 to send internal traffic to the outside. I originally thought it was the lack of a default gateway, but that seems to be configured (When I try to manually set one up, I get a message it is already there).
My ISP provides me with a static IP address range on the outside, 67.115.92.192/29. The external GW is 67.115.92.193, and I set the outside interface of my FW to 67.115.92.198
Can't quite figure out how to get internal addresses to properly translate and send to the outside interface. I've searched these forums, but the only answer I can find is "open a TAC case with Cisco"
I'm using ASDM to configure, but logging into the console gives the following config:
ciscoasa# sho config
: Saved
: Written by enable_15 at 20:04:02.428 UTC Thu Aug 28 2008
!
ASA Version 8.2(5)
!
hostname ciscoasa
enable password blahblahblah encrypted
passwd blahblahblah encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.115.92.198 255.255.255.248
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.190-192.168.1.200 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:76ab7ed1cac11d6b62fc57f9ab330c0f
08-13-2013 09:23 PM
Hello Vincent,
The .198 is the broadcast address! It cannot be used.
I still do not see the route statement
can you share show route?
Please check your inbox
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-15-2013 09:29 PM
I changed the interface address and explicitly included a default route. I can ping the ISP default GW from the ASA, but internal devices on 192.168.1.0/24 still don't seem to get out. Is the default GW statement correct? I did not add a trunk stmt to the E0/0 interface yet - would this help?
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.115.92.193 1
AND
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.115.92.197 255.255.255.248
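The corrected addressing and routing above can be checked mechanically instead of by eye. The following Python script is an added example, not from the original post or from Cisco: it parses the ASA 8.2 `nameif`, `ip address`, `route`, `nat` and `global` lines in the form shown in this thread and reports whether any interface address is the network or broadcast address of its subnet, whether the default gateway lies on the outside subnet, and whether the inside-to-outside PAT pair is present. The configuration string is constructed from the lines posted above; the function names are mine.

```python
import ipaddress
import re

# Constructed from the ASA 8.2 configuration lines posted in this thread.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.115.92.197 255.255.255.248
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.115.92.193 1
"""


def parse_interfaces(config):
    """Map nameif -> IPv4Interface from each 'interface' stanza."""
    ifaces = {}
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
            continue
        m = re.match(r"nameif (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and name:
            # ipaddress accepts a dotted mask after the slash (the 8.2 'ip address A M' form)
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_default_route(config):
    """Return (nameif, gateway) for 'route <if> 0.0.0.0 0.0.0.0 <gw> [metric]', else None."""
    for raw in config.splitlines():
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", raw.strip())
        if m:
            return m.group(1), ipaddress.IPv4Address(m.group(2))
    return None


def usable_hosts(iface):
    """Host addresses of the interface's subnet, excluding network and broadcast."""
    return [str(h) for h in iface.network.hosts()]


def check_config(config):
    """Return a list of findings; an empty list means addressing and routing are consistent."""
    findings = []
    ifaces = parse_interfaces(config)
    for name, iface in ifaces.items():
        net = iface.network
        if iface.ip == net.network_address:
            findings.append(f"{name}: {iface.ip} is the network address of {net}")
        elif iface.ip == net.broadcast_address:
            findings.append(f"{name}: {iface.ip} is the broadcast address of {net}")
    route = parse_default_route(config)
    if route is None:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <isp-gw> 1'")
    else:
        name, gw = route
        if name not in ifaces:
            findings.append(f"default route uses unknown interface {name}")
        elif gw not in ifaces[name].network:
            findings.append(f"gateway {gw} is not on the {name} subnet {ifaces[name].network}")
    has_global = re.search(r"^global \(outside\) 1 ", config, re.M)
    has_nat = re.search(r"^nat \(inside\) 1 ", config, re.M)
    if not (has_global and has_nat):
        findings.append("inside->outside PAT incomplete: need matching 'nat (inside) 1' and 'global (outside) 1'")
    return findings


if __name__ == "__main__":
    for finding in check_config(ASA_CONFIG) or ["no findings"]:
        print(finding)
    print("outside usable hosts:", usable_hosts(parse_interfaces(ASA_CONFIG)["outside"]))
```

For the /29 in this thread the script lists .193 through .198 as usable, with .192 the network and .199 the broadcast address, so both .197 and the original .198 are valid interface addresses as long as they do not collide with the ISP gateway at .193.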
08-15-2013 09:41 PM
Hello Vincent,
Regarding the trunk: No, that will not help.
Do the following
1) Add the following command
fixup protocol icmp
capture capin interface inside match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2
2) From an internal machine ping 4.2.2.2
3)Provide me the output of
show run access-group
show cap capin
show cap capout
Let me know if you read the message I sent you in your inbox (reply over there).
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-18-2013 09:44 PM
Sorry about the delay - this is my home machine so I only work on it after-hours.
Everything looks good based on your advice...
fixup protocol icmp
gave me the message
INFO Converting fixup protocol icmp to MPF commands
ping to 4.2.2.2 gives a reply (very good)
Here are the results of the 3 commands you requested:
ciscoasa(config)# show run access-group
ciscoasa(config)# show cap capin
8 packets captured
1: 22:51:41.303649 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
2: 22:51:41.341321 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
3: 22:51:42.310912 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
4: 22:51:42.326032 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
5: 22:51:43.312316 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
6: 22:51:43.327558 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
7: 22:51:44.313765 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
8: 22:51:44.329038 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
8 packets shown
ciscoasa(config)# show cap capout
8 packets captured
1: 22:51:41.304122 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
2: 22:51:41.341260 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
3: 22:51:42.311171 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
4: 22:51:42.326002 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
5: 22:51:43.312560 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
6: 22:51:43.327512 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
7: 22:51:44.314009 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
8: 22:51:44.329008 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
8 packets shown
ciscoasa(config)#
I will try a Web site next - previously the DNS UDP traffic wasn't getting through.
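To turn the two captures above into a verdict rather than reading them by eye, the following Python script is an added example, not part of the original post or of Cisco's tooling: it parses the ICMP lines of `show cap` output, pairs the inside and outside echo requests to recover the PAT mapping (192.168.1.2 to 67.115.92.197 in this thread), and classifies where a failing ping is being lost. The sample lines are copied from the output above; the function names and the pairing-by-capture-order assumption are mine.

```python
import re

# Constructed sample: the 'show cap capin' and 'show cap capout' output posted above.
CAPIN = """\
1: 22:51:41.303649 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
2: 22:51:41.341321 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
3: 22:51:42.310912 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
4: 22:51:42.326032 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
"""
CAPOUT = """\
1: 22:51:41.304122 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
2: 22:51:41.341260 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
3: 22:51:42.311171 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
4: 22:51:42.326002 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
"""

# One 'show cap' ICMP echo line; the 802.1Q tag is optional for untagged interfaces.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Parse ICMP echo lines from 'show cap' output into dicts; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(capin_text, capout_text, target):
    """Say where pings to `target` die, by comparing the inside and outside captures."""
    cin = parse_capture(capin_text)
    cout = parse_capture(capout_text)
    req_in = [p for p in cin if p["kind"] == "request" and p["dst"] == target]
    rep_in = [p for p in cin if p["kind"] == "reply" and p["src"] == target]
    req_out = [p for p in cout if p["kind"] == "request" and p["dst"] == target]
    rep_out = [p for p in cout if p["kind"] == "reply" and p["src"] == target]

    # Pair inside and outside requests in capture order to recover the PAT mapping.
    # PAT rewrites the source address (and the ICMP id), so order is the only stable
    # key across the two captures; this assumes a single ping stream at a time.
    translations = {}
    for i, o in zip(req_in, req_out):
        translations.setdefault(i["src"], set()).add(o["src"])

    if not req_in:
        verdict = "no requests on inside: host addressing/default gateway, not the ASA"
    elif not req_out:
        verdict = "requests on inside, none on outside: NAT, route or ACL drop on the ASA"
    elif not rep_out:
        verdict = "requests leave outside, no reply: upstream/ISP or the target"
    elif not rep_in:
        verdict = "replies on outside, none on inside: return translation/inspection"
    else:
        verdict = "ok: requests and replies seen on both interfaces"
    return {
        "verdict": verdict,
        "translations": {k: sorted(v) for k, v in translations.items()},
        "counts": {"req_in": len(req_in), "rep_in": len(rep_in),
                   "req_out": len(req_out), "rep_out": len(rep_out)},
    }


if __name__ == "__main__":
    print(diagnose(CAPIN, CAPOUT, "4.2.2.2"))
```

The same two captures, taken before the default route and ICMP inspection were added, would have fallen into the "requests on inside, none on outside" or "replies on outside, none on inside" branches, which is exactly the split the capture pair is meant to expose.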
08-18-2013 10:42 PM
Hello Vincent,
As you saw, traffic is going back and forth now.
Make sure you have a DNS on your computer and try some googling around
Let me know how it goes,
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-13-2013 09:36 PM
Hey Vincent,
Make a default route towards the ISP.
And make interface Ethernet0/0 a trunk interface.
Hope this helps you.
Thanks & regards
Vishaw
08-16-2013 01:20 PM
Can you ping 4.2.2.2 from the ASA?
Have you confirmed that the PCs receive the correct IP addresses and default gateway? If they are getting a correct IP and default gateway, can you ping the ASA inside interface from the PCs? (You might have to add permit statements to allow pinging the ASA itself.)
Also, the address 67.115.92.198 is fine; 67.115.92.199 is the broadcast address.